Practical Notes | MySQL database security audit

Original: Li Yong, JD Cloud Developer Community

Every company wants its business to grow, ideally with one product or a few hit products that take off and drive revenue up rapidly. From the database administrator's perspective, however, this is real pressure: business growth inevitably brings an explosion in data volume. The selection and design of the database system is an important factor in supporting the entire business system.

Cloud-native databases are an important driving force of cloud computing, and the MySQL database is one of the cloud-native database products. Compared with a traditional self-built database, a cloud database offers far more flexibility and scalability than a single database instance.

Database auditing monitors and records the various kinds of operations performed on a database server and writes them to an audit log or a database for later tracking, querying and analysis, so that user actions can be monitored and audited. Auditing is very important work and an important part of an enterprise's data security system.

MySQL Enterprise Edition comes with an audit function, but it has to be paid for. MySQL Community Edition has no audit function, yet for cost reasons many users run MySQL Community Edition as their business system database. How, then, can MySQL Community Edition implement this important audit function? This article answers that question for two scenarios: self-built databases and cloud services.

Self-built MySQL database scenario

All self-built database tests in this article use MySQL 5.7 on Windows 10.

Method one: General Log

By default MySQL does not enable the General log; once it is enabled, every SQL statement that reaches the MySQL Server is recorded.

Steps to enable the General log:

**1.** Check whether the General Log is enabled: execute the SQL command show variables like '%general_log%'; and you can see that general_log is OFF by default:

**2.** Enable the General Log: execute the SQL command set global general_log = on; then check again and general_log is shown as enabled:

**3.** Verification: after general_log is turned on, all SQL access is recorded in the log file that general_log_file points to. We execute several test SQL statements:

Then view the contents of the log file ZB-PF11H2E3.log; the operations we just performed have been recorded in the log:

Once the General Log is enabled, MySQL logs every operation a user performs, whether it succeeds or fails, so the volume of log data becomes very large and database performance suffers. We therefore generally do not recommend enabling this function; it may be turned on temporarily, for a limited period, in individual cases of troubleshooting and failure investigation.

Method two: BinLog + init_connect

The BinLog is the log of operations that MySQL leaves behind. On the one hand it is used for master-slave replication and data recovery; on the other hand it can be used to audit the database.

However, the BinLog alone cannot tell you who logged in and at what time, so it lacks necessary audit information. In MySQL, every connection first executes the init_connect initialization statement, and that is where we can capture the login name and the thread ID of the user. Combined with the BinLog, the operation time, operator and other information for each statement can then be traced, so the login information plus the BinLog implements auditing.

The configuration and verification procedure is as follows:

**1.** Create the audit database auditdb and the accesslog table:

**2.** Create a user, user1, with rights to operate on the auditdb database:

If you already have a user, add permission to operate on auditdb for that existing user (only INSERT is needed, because the init_connect statement runs with the connecting user's privileges and only inserts into auditdb.accesslog):

MySQL> insert into mysql.db (Host,Db,User,Insert_priv) values ('%','auditdb','user1','Y');
Query OK, 1 row affected (0.03 sec)
MySQL> flush privileges;
Query OK, 0 rows affected (0.00 sec)

**3.** Set init_connect: add the following lines to the [mysqld] section of the parameter file and restart the MySQL database:

log-bin = mysql-bin   # enable the Binlog
init_connect = 'INSERT INTO auditdb.accesslog (ConnectionID, ConnectionUser, LoginTime) VALUES (connection_id(), user(), now());'   # statement executed when each connection is initialized

**4.** Log in as user1 and perform some write and delete operations;

**5.** Inspect the BinLog with the mysqlbinlog tool, find the thread ID corresponding to the delete operation, and then look up the user's login information for that thread ID in the audit table auditdb.accesslog created earlier:

View the contents of the current binlog mysql-bin.000029 and find the thread ID corresponding to the delete operation: D:\mysql57\bin> mysqlbinlog ../data/mysql-bin.000029

From the Binlog we learn that the delete on the test2 table corresponds to thread ID 8. Looking up that thread ID in the audit table gives the user's login information, which shows that the delete was performed by the user user1 from this machine.

**Note:** Auditing this way has little impact on database performance, because init_connect runs only when a connection is established; but init_connect does not record connections made with root privileges (it is skipped for accounts holding the SUPER privilege).
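To make the thread-ID correlation of step 5 concrete, here is an added Python example (not code from the post or from JD Cloud) that parses a constructed mysqlbinlog text excerpt, extracts the thread_id of each DML statement, and joins it to constructed rows of the auditdb.accesslog table that init_connect fills. Because thread IDs are reused across server restarts it picks the latest login at or before the statement, and it leaves a statement unattributed when no accesslog row exists, as happens for a root session.

```python
import re
# Constructed mysqlbinlog text excerpt (not from the post): thread 8 is user1's session, thread 3 a root session.
BINLOG_TEXT = """\
#190530 10:15:42 server id 1  end_log_pos 510 CRC32 0x5e6f7a8b \tQuery\tthread_id=8\texec_time=0\terror_code=0
SET TIMESTAMP=1559182542/*!*/;
use `auditdb`/*!*/;
delete from test2 where id = 3
/*!*/;
#190530 10:20:05 server id 1  end_log_pos 730 CRC32 0x33445566 \tQuery\tthread_id=3\texec_time=0\terror_code=0
SET TIMESTAMP=1559182805/*!*/;
truncate table test2
/*!*/;
"""
# Constructed rows as `select * from auditdb.accesslog` would return them; id 8 was reused on an earlier day.
ACCESSLOG = [
    {"ConnectionID": 8, "ConnectionUser": "user2@localhost", "LoginTime": "2019-05-29 09:00:00"},
    {"ConnectionID": 8, "ConnectionUser": "user1@localhost", "LoginTime": "2019-05-30 10:14:50"},
]
HEADER_RE = re.compile(r"^#(?P<y>\d\d)(?P<mo>\d\d)(?P<dd>\d\d) +(?P<t>\d\d:\d\d:\d\d) server id \d+"
                       r".*\bQuery\b.*thread_id=(?P<tid>\d+)")
DML_RE = re.compile(r"^(insert|update|delete|truncate|drop|alter)\b", re.IGNORECASE)

def parse_binlog_statements(text):
    """Return [{ts, thread_id, sql}] per Query event; SET/use lines and BEGIN/COMMIT are dropped."""
    events, cur, buf = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # event header: take the binlog timestamp (YYMMDD hh:mm:ss) and the thread_id
            cur, buf = {"ts": f"20{m['y']}-{m['mo']}-{m['dd']} {m['t']}", "thread_id": int(m["tid"])}, []
        elif cur is None or line[:1] == "#" or line.startswith(("SET ", "use ")):
            continue
        elif line.startswith("/*!*/;"):  # delimiter line that closes the statement body
            sql = " ".join(buf).strip()
            if sql.upper() not in ("", "BEGIN", "COMMIT"):
                events.append({**cur, "sql": sql})
            cur = None
        else:
            buf.append(line)
    return events

def attribute(events, accesslog):
    """Join each DML event to the latest accesslog login with the same ConnectionID at or before the event; user is None when no init_connect row exists (e.g. a root session, for which init_connect is skipped)."""
    out = []
    for ev in events:
        if not DML_RE.match(ev["sql"]):
            continue
        logins = [r for r in accesslog if r["ConnectionID"] == ev["thread_id"] and r["LoginTime"] <= ev["ts"]]
        login = max(logins, key=lambda r: r["LoginTime"], default=None)
        out.append({**ev, "user": login["ConnectionUser"] if login else None})
    return out
```

Running attribute(parse_binlog_statements(BINLOG_TEXT), ACCESSLOG) attributes the delete on test2 to user1@localhost and reports the truncate from thread 3 with no user, which is exactly the root gap the note above describes.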

Method three: using audit plug-ins

Besides the commercial edition's audit plug-in, there are three common audit plug-ins: Percona Audit Log Plugin, MariaDB Audit Plugin and McAfee MySQL Audit Plugin. They are functionally similar and differ only slightly in the content and format they present. Taking the MariaDB Audit Plugin as an example, here is how to audit MySQL data using a plug-in.

(1) Download and install

**1.** Download the MariaDB Audit Plugin (download address: downloads.mariadb.org/mariadb/5.5... )

**2.** Installation: copy server_audit.dll to the MySQL plug-in directory D:\mysql57\lib\plugin, then run the install command:

**3.** Verify the installation: Mysql> show variables like '%audit%';

(2) Description of the key audit parameters

  • server_audit_logging: enables or disables auditing.

  • server_audit_events: specifies the types of events to record; multiple values (connect, query, table) are separated by commas. The default is empty, which means all events are audited.

  • server_audit_incl_users: specifies which users' activity is logged; by default all users are audited. This variable takes priority over server_audit_excl_users.

  • server_audit_excl_users: specifies which users' activity is not recorded.

  • server_audit_output_type: specifies the log output type, either FILE (the audit file) or SYSLOG; the default is FILE.

(3) Audit procedure example

**1.** Enable auditing: mysql> set global server_audit_logging = on;

Because this is only a verification test, all other parameters are left at their default settings.

**2.** Perform some database operations:

**3.** View the audit log server_audit.log, which is located in the data directory by default:

We can see that the operations just performed on the MySQL database have all been audited.

Scenario using a public cloud RDS service

With cloud computing now widespread, cloud providers offer cloud database services, and the cloud MySQL database is of course an important one among them. Compared with a traditional database, a cloud database is easy to deploy, manage and scale, and provides a complete set of solutions for data reliability, security and health monitoring. So how is database auditing achieved on a cloud MySQL database? Taking JD Cloud's MySQL database as an example: JD Cloud implements its MySQL audit function with the MariaDB Audit Plugin. Below we show how to enable, use and disable auditing on the cloud MySQL database.

**1.** Log in to the RDS cloud database management console;

**2.** Select the target instance whose SQL is to be audited, click it to enter the instance details page, and switch to the SQL Audit tab;

**3.** Click the audit state switch to turn auditing on or off;

**4.** Perform some database operations, then view the audit data. After auditing is turned on, the SQL audit query functions are as follows:

  • Execution time: select a time interval within the 7 days before the current time as the SQL audit query period;

  • Database: view the SQL statements for a specified database;

  • Account: view the SQL statements for a specified account.

**5.** Click the search button to see the list of SQL audit results that match the criteria:

As the example above shows, cloud database management and operations are indeed much simpler than for a self-built database: users need not care about the audit method, where the audit data is stored, and so on. But because a cloud database is delivered to the end user as a cloud service, users must operate it according to the cloud service's requirements and usage instructions.

Reproduced from: https://juejin.im/post/5cefcc065188256b8b59e60b

Origin: blog.csdn.net/weixin_33933118/article/details/91459187